Computers are vulnerable to malware such as viruses, worms and Trojans. Antimalware software is often deployed on computers of both organizations and individuals, in order to detect and block malware before it infects or otherwise harms the target computers. When attempting to detect malware, antimalware programs sometimes generate false positives (i.e., adjudicating a file or site to be malicious when in fact it is benign). False positives can occur for various reasons, such as use of a faulty malware signature, programming error and/or aggressive heuristic techniques. A false positive is at the very least annoying to the customer, and can even render a legitimate application or the computer's operating system unusable. For customers, this can lead to system downtime, data loss, and lack of trust in the antimalware software vendor. For the antimalware vendor, this can result in negative publicity, loss of business, and perhaps even legal action.
A typical antimalware product with a large install base can generate several thousand false positives every day. The vast majority of these false positives typically remain undetected for months. While complete prevention of false positives is not realistic, early detection of false positives being generated by an antimalware program could minimize the negative impact. However, conventional false positive detection is a manual and time-consuming process performed by human analysts. Conventional analysis is also reactive, being performed by the analysts only when customers report false positives to the vendor.
It would be desirable to address these issues.